CEH Certification Overview

Questions and Answers

What is required in order to apply for the ANSI-accredited CEH certification?

• Two years of related work experience (correct)
• Three years of relevant work experience
• Completion of a related degree
• A letter of recommendation

What is the cost of a Pearson VUE exam voucher for the CEH certification?

• $1,050
• $1,199 (correct)
• $1,500
• $950

Which of the following statements about the application process for CEH certification is true?

• An application fee is waived for everyone
• You need a background check to apply
• The application is valid for three months (correct)
• The application remains valid indefinitely

What does EC-Council stand for?

International Council of Electronic Commerce Consultants (B)

What was the primary motivation behind the establishment of the EC-Council?

To combat cyber attacks following 9/11 (A)

What type of fee must applicants pay to apply for CEH certification?

A non-refundable application fee (D)

How many countries does the EC-Council operate in?

145 (D)

Which of the following is NOT a prerequisite for obtaining an EC-Council voucher?

Having a bachelor's degree (D)

What is the primary goal of ethical hacking?

To test systems in order to improve security posture (D)

What term is often used interchangeably with ethical hacking?

Penetration testing (A)

Which of the following statements is true regarding data breaches since 2005?

At least 10 million records have been compromised annually. (D)

What is one method organizations can use to improve their defenses against attacks?

Testing attacks against their own infrastructure (C)

Which of the following best describes red teaming?

An adversarial penetration test of an organization's defenses (C)

What typically happens when ethical hackers perform their work?

They are often contracted by organizations to improve security (A)

What was a significant concern regarding the total value of stolen data?

There has been minimal accounting of it (B)

What is one misconception about ethical hacking?

It involves malicious activities similar to hacking (C)

What percentage of infiltrations are often attributed to social engineering attacks?

80 to 90 percent (B)

Which of the following services may provide usernames when queried correctly?

Simple Mail Transfer Protocol (SMTP) servers (C)

What is the main objective during the scanning and enumeration phase?

To gain access through exposed network services (A)

Which protocols can provide shared directory information on Windows servers?

Server Message Block (SMB) and Common Internet File System (CIFS) (D)

Which of the following is NOT commonly documented when identifying services on available hosts?

Logins used during service access (D)

What critical information can scanning reveal about services running on a host?

Software and details related to the service (C)

Why is it important to track single hosts among various networks?

They may house sensitive data or services that are entry points. (B)

What type of data might social engineering attacks exploit?

Personal information of employees (B)

What is a primary function of Data Link layer protocols?

Formatting data to be sent on the transmission medium (C)

Which of the following is considered a Physical layer protocol?

1000BaseT (A)

Which layer does the Secure Shell (SSH) protocol primarily operate at?

Session layer (D)

What issue is associated with mapping protocols to the OSI model?

Confusion about how protocols correlate with layers (A)

In relation to ARP, what role does it serve between the Data Link layer and another layer?

It bridges Layer 2 and Layer 3 addressing (D)

Why is understanding the OSI layers beneficial when diagnosing network issues?

It enables isolation of functionality related to specific layers (C)

Which statement about routers is true?

Routing is a Layer 3 function usually found in routers (B)

What is a major characteristic of the TCP/IP architecture development?

It evolved quickly beyond its original connections (D)

What is the primary goal of reconnaissance in ethical hacking?

To gather detailed information about the target (D)

How does a red teamer approach testing compared to a traditional tester?

They think like an attacker to avoid detection (B)

What is the purpose of a code of conduct for Certified Ethical Hackers (CEH)?

To ensure ethical behavior in their actions (A)

What does footprinting primarily involve in ethical hacking?

Determining the size and appearance of the organization (A)

Which of the following is NOT a reason for performing reconnaissance?

To conduct a direct attack on the target system (A)

What aspect makes ethical hacking testing particularly challenging?

It requires thinking like an attacker (D)

In the context of ethical hacking methodologies, what is essential for repeatability and verification?

Following a structured methodology (A)

What can businesses achieve by utilizing information from each stage of ethical hacking?

Strengthen their security posture (C)

What is the primary purpose of the IP identification field in a packet?

To identify fragments of the same packet that share the same identification number (A)

Which of the following best describes a SQL injection attack?

An attack that uses altered SQL queries to manipulate application flow (A)

What is the main reason malware is difficult to acquire through the Apple App Store and Google Play Store?

Apps undergo a vetting process before being approved (C)

What is the function of DHCP in a network?

To assign IP configurations to endpoints (D)

How does heap spraying work in the context of cyber attacks?

By injecting code into running applications via the heap memory (B)

What is the subnet mask for a /21 network?

255.255.248.0 (B)

Which characteristic distinguishes a worm from a virus in malware terms?

Worms can self-propagate without user action (C)

What is one of the least effective ways to introduce malware onto a mobile device?

By using external storage options (B)

What is a characteristic of a worm?

It can self-propagate. (D)

Which formula correctly calculates risk?

Probability * loss (B)

How does an evil twin attack primarily work?

Spoofing an SSID. (C)

What solution is used to remove malware from the network before reaching an endpoint?

Unified threat management appliances. (D)

What encoding type has been applied to the string '%3Cscript%3Ealert(‘wubble’);%3C/script%3E'?

URL encoding. (A)

What type of records would you retrieve with the command 'dig ns domain.com'?

Name server records. (D)

What is one function specified by NIST’s cybersecurity framework?

Identify. (A)

Which of the following best describes the purpose of a security policy?

To set high-level guidelines on security practices. (A)

What does the command 'tcpdump -i eth2 host 192.168.10.5' capture?

Traffic to and from 192.168.10.5 (B)

What is the primary purpose of Diffie-Hellman?

Key exchange (C)

Which principle makes social engineering attacks noticeable through the perceived authority of the attacker?

Authority (A)

How is authentication performed using SNMPv1?

Community string (D)

What is an ARP response generated without a prior ARP request known as?

Gratuitous ARP (B)

What is a common reason to exploit a local vulnerability?

Privilege escalation (A)

Which property of the security triad does the Biba security model primarily concern?

Integrity (D)

Why is bluesnarfing considered more dangerous than bluejacking?

Bluesnarfing installs keyloggers. (D)

How is risk defined in the context of loss events?

The probability of an event multiplied by the dollar value of loss. (A)

Which statement accurately describes the nature of an evil twin attack?

It employs an access point that mimics a legitimate wireless network. (B)

What role does a Unified Threat Management appliance serve?

It combines multiple security features including antivirus and firewalls. (A)

Which encoding method is specifically designed for rendering non-printable characters in text?

Base64 encoding (A)

What are MX records used for in a domain's DNS settings?

To identify mail exchanger servers. (D)

What is the primary function of a DNS query?

To convert URLs into IP addresses. (A)

Why is seeking direct policy guidance ineffective when developing security procedures?

Procedures are meant for operational direction, not policy. (C)

What distinguishes a cryptographic hash from encryption?

Encryption converts readable data into a format that is difficult to decipher. (C)

What must be disclosed when you identify issues while engaging a client's services?

Potential conflicts of interest (A)

How should a responsible disclosure of vulnerabilities be carried out?

Through collaboration with relevant vendors and CERTs (C)

What is the ethical approach when unintentional damage occurs during testing?

Ensure it is communicated and agreed upon with the company (C)

What key element is vital to protect while performing ethical hacking tasks?

Client’s or company's equipment and data (B)

What is the primary purpose of responsible disclosure?

To ensure that vulnerabilities are addressed before being made public (B)

Which of the following is NOT allowed under the code of ethics for ethical hackers?

Using equipment for personal projects (B)

What should be done if a vulnerability impacts a large number of people across the Internet?

Work with vendors and CERTs to address it responsibly (A)

What type of actions are ethical hackers strictly prohibited from engaging in?

Engaging in illegal activities and past convictions (C)

Why is it important for certified ethical hackers to understand ethics?

To behave ethically when accessing sensitive information. (B)

What aspect of ethical hacking is emphasized by the phrasing 'ethical hacking' rather than 'hacking ethically'?

The primary focus on ethics in hacking activities. (A)

What is a critical requirement when ethical hackers are entrusted with sensitive information?

They are required to keep the information private. (D)

How does a poor understanding of ethics impact a certified ethical hacker's career?

It could compromise the confidentiality of sensitive information. (C)

What does the code of ethics for certified ethical hackers primarily focus on?

Safeguarding clients' and employers' sensitive information. (A)

What is one of the consequences of failing to protect sensitive information as an ethical hacker?

Violation of the code of ethics and potential legal repercussions. (A)

What overarching reason is given for understanding the context behind ethical hacking examinations?

It provides insight into the intentions of the certification process. (C)

How does the concept of ethics in hacking differ among individuals?

There can be varying perspectives on what is ethical and unethical. (B)

What distinguishes black hat hackers from white hat hackers?

Black hat hackers operate outside the law, while white hat hackers do not. (A)

Which type of hacker operates in the ethical gray area?

Gray hat hackers (A)

What is necessary to ensure ethical hacking actions are considered legitimate?

Documenting the scope of activities in writing (B)

What can potentially happen when ethical hackers go outside the defined scope of their work?

Their actions could be deemed unethical. (C)

How many devices were believed to be compromised by the Mirai botnet?

Between 100,000 and 1 million (B)

How does the media typically portray cyber attacks?

Reporting incidents involving large-scale data thefts (C)

What is a characteristic of gray hat hackers?

They sometimes operate outside legal boundaries for good. (B)

What is typically not shown in media reports about cyber crime?

The number of infected personal devices (B)

Which chapter primarily addresses security testing and vulnerabilities?

Chapter 7 (B)

What is a necessary action to take before checking in on the day of the exam?

Show two valid, unexpired forms of ID (A)

Which objective maps to the topic of ethics in the context of systems and security?

1.6 Ethics (D)

Which objective covers procedures and methodology?

2.5 Procedures/methodology (B)

Which chapters would you consult for background information?

Chapters 2, 3 (B)

Which chapter addresses mitigation strategies?

Chapter 7 (C)

What must one of the two forms of ID include when checking in for the exam?

A photo (B)

What is the focus of Objective 2.6?

Regulation/policy (C)

What is one of the primary objectives of reconnaissance in ethical hacking?

To understand the scope of the endeavor (D)

What does footprinting primarily involve in the context of ethical hacking?

Determining the appearance and size of the target organization (C)

Which statement accurately represents the role of red teamers?

They mimic attackers to evaluate security effectiveness (B)

How does the methodology of ethical hacking benefit organizations?

It provides a consistent and verifiable approach to security assessments (A)

What is a requirement for professionals who obtain the Certified Ethical Hacker (CEH) certification?

They must agree to a code of conduct governing their actions (D)

What is a key challenge faced by individuals performing ethical hacking?

Adopting the mindset of an attacker (D)

Which characteristic of a SQL injection attack is critical for its execution?

The use of SQL queries to manipulate database operations (A)

What action is involved in the reconnaissance phase of ethical hacking?

Collecting information from social media about employees (B)

What makes the use of third-party app stores a notable security concern?

They do not typically vet submitted apps (B)

What makes the methodology of ethical hacking particularly essential?

It ensures actions are repeatable and verifiable (B)

How does DHCP function within a network?

To provide IP configuration to endpoints (B)

What differentiates a worm from a virus in malware propagation?

Worms self-propagate without user action (C)

What is the purpose of heap spraying in a cyber attack?

To inject attack code into allocated memory spaces (C)

Which subnet mask corresponds to a /20 network?

255.255.240.0 (A)

What is one reason that malware is difficult to obtain through official app stores?

There is a thorough vetting process for apps (C)

What function do Layer 2 addresses serve in a network?

They identify the network interface for communication. (D)

Which of the following protocols operates at the Data Link layer?

Address Resolution Protocol (ARP) (C)

Which Physical layer protocol is known for handling the transmission of data at 1000 Mbps?

1000BaseT (B)

What is the challenge associated with the OSI model in networking?

Some protocols operate between the defined layers. (C)

Which of the following best describes the Secure Shell (SSH) protocol's operation layer?

It primarily resides at the Session layer. (C)

What does a router's functionality encompass in relation to the OSI model?

It includes both Layer 2 and Layer 3 functions. (D)

What does understanding the OSI model enable for network diagnostics?

It assists in isolating problems by layer functionality. (D)

Which of the following correctly defines the role of VLANs in a network?

They combine multiple physical networks into one virtual network. (C)

What happens when logs are wiped on a Windows system?

A log entry is created showing the logs have been wiped (A)

Why is it important to adhere to a code of ethics in ethical hacking?

To ensure all actions are legal and harmless (A)

What plays a significant role in understanding network functionalities?

Conceptual understanding of communications protocols (A)

What is a key challenge in the process of covering tracks during ethical hacking?

Preventing any log entries from being created (D)

Which model is commonly used to describe communications protocols?

Open Systems Interconnection (OSI) model (B)

What is a potential consequence of failing to adhere to ethical standards in ethical hacking?

Legal repercussions and loss of certification (D)

What is the primary reason understanding network topologies is important in ethical hacking?

To better understand potential attack vectors and defenses (C)

How might wiping logs be interpreted by an observer?

As a sign of malicious intent requiring further investigation (A)

What is the fundamental component of the Triad in security fundamentals?

Confidentiality (B)

Which network type connects all nodes through a central hub?

Star Network (A)

In the context of ethical hacking, what does 'covering tracks' primarily refer to?

Log file manipulation (A)

What is an example of a denial of service attack?

Frequent ping requests (A)

Which of the following best describes the role of the Simple Mail Transfer Protocol (SMTP)?

Sending and receiving emails (B)

In malware analysis, what technique is used to evaluate malware's behavior during execution?

Dynamic Analysis (C)

What is the primary focus of a vulnerability scan?

Identifying security weaknesses (D)

Which type of social engineering attack involves manipulation through impersonation?

Pretexting (A)

What is the significance of the Packet Capture process?

Analyzing network traffic (C)

Which of the following best describes SQL Injection?

An attack that alters the SQL queries of a database (A)

Which cryptographic technique uses the same key for both encryption and decryption?

Symmetric Key Cryptography (B)

What is a major characteristic that differentiates a trojan from a virus?

Trojan disguises itself as legitimate software (B)

In security architecture, which model primarily focuses on ensuring confidentiality of information?

Bell-LaPadula Model (A)

Which of the following is a method of passive reconnaissance?

Querying DNS records (B)

What is the main purpose of a zone transfer in DNS?

To get all the contents of a DNS zone (C)

Which of the following best describes a DNS amplification attack?

A small DNS query resulting in a much larger response sent to a target (A)

What role does ICMP play in network diagnostics?

It is used to send error messages and operational information. (D)

Which function is NOT included in the NIST cybersecurity framework?

Audit (B)

What is one challenge of using Python for malware development?

You may require a Python interpreter to run scripts. (D)

What is the primary purpose of the Diffie-Hellman key exchange?

To allow parties to derive the same key for encryption (B)

What characteristic distinguishes a tunneling attack?

Sending commands via a hidden protocol within another (D)

Which aspect of imitating someone relates to social engineering?

Using trust to manipulate individuals into giving access (C)

What protocol replaced the initial 1822 protocol in the development of network communications?

Network Control Program (NCP) (B)

Which of the following correctly describes the primary difference between the OSI model and TCP/IP architecture?

TCP/IP architecture is simpler and consists of four layers. (A)

In the TCP/IP model, which layers are combined from the OSI model?

Session, Presentation, and Application layers (B)

What is a characteristic of the TCP/IP architecture in relation to the OSI model?

It is an as-built definition unlike the conceptual nature of OSI. (B)

By what year was the Network Control Program (NCP) completely replaced by TCP/IP?

1983 (B)

Which layer is common in both the OSI model and TCP/IP architecture?

Transport Layer (A)

What generally distinguishes the TCP/IP architecture design from the OSI model?

TCP/IP has fewer layers and is more straightforward. (C)

In terms of protocol design, how are the OSI model and TCP/IP architecture similar?

They include similar names for certain layers. (A)

What is the primary risk associated with unauthorized copying of a publication?

Loss of revenue for the publisher (B)

What does the limit of liability disclaimer indicate about the content of the work?

Professional assistance may be needed for specific advice (A)

Which of the following is likely a consequence of not obtaining permission for publication reproduction?

Potential legal ramifications for copyright violation (A)

Why might the advice and strategies in this work not be suitable for every situation?

They are context-specific and situation-dependent (B)

What primary concern is associated with the completeness of the contents of a publication?

Lack of comprehensive coverage of a subject (A)

What is the purpose of the ISBN listed for a publication?

To provide a unique identifier for the book (C)

What role does the Permissions Department play in relation to publication rights?

To grant or deny requests for reproducing content (B)

What might be a reason for a publisher to deny reproduction requests?

To maintain control over intellectual property (A)

What was the primary goal of establishing the OSI model?

To define a set of standards for communication (B)

How many layers are there in the OSI model?

Seven layers (D)

Which layer of the OSI model is responsible for user interaction?

Application Layer (A)

Which mnemonic helps in remembering the order of the OSI model from bottom to top?

Please Do Not Touch Steve’s Pet Alligator (A)

What concern was raised regarding the OSI model after it was published?

Its complexity and potential for implementation issues (A)

How do professionals typically reference functionalities of the OSI model?

By the layer number (A)

What happens as you move from the Physical layer to the Application layer in the OSI model?

User interaction increases (A)

What conceptual advantage does the OSI model provide?

It clarifies interface points for easier interaction (C)

What does ethical hacking primarily aim to achieve?

To imitate malicious attacks for stronger defenses (C)

What is red teaming commonly considered to be?

An adversarial penetration testing approach (A)

Which of the following describes the frequency of data breaches reported since 2005?

There has been at least one significant breach every year (A)

How does ethical hacking contribute to software testing?

By identifying bugs that could lead to exploits (B)

What common misconception exists about the role of ethical hackers?

Their primary goal is to steal data (B)

Which factor is critical for ethical hacking methodologies?

Repeatability and verification of the process (D)

What significant trend regarding data records has been observed in the United States?

Every adult has likely had their data compromised multiple times (D)

What is an essential strategy for businesses to enhance their defenses against cyber attacks?

Regularly testing their infrastructure against simulated attacks (B)

What is the primary expectation when identifying issues during service engagement?

To disclose identified issues to the engaged parties (B)

What represents a responsible manner of disclosing vulnerabilities?

Working with involved vendors before public disclosure (D)

What should an individual ensure when facing unexpected service outages during testing?

Keeping communication open with the right parties (C)

Which of the following actions is strictly prohibited under ethical guidelines?

Misusing equipment provided by the client (A)

What is an example of an unethical approach to handling vulnerabilities?

Publicly disclosing sensitive information without notice (C)

Which of the following actions aligns with ethical practices in cybersecurity?

Obtaining explicit consent for any security assessments (C)

Why is clear communication vital during testing phases?

It ensures all stakeholders are aware of potential risks (A)

What is a key factor to consider regarding conflicts of interest?

They must be disclosed to the involved parties (C)

What is a primary expectation of individuals holding a CEH certification?

To adhere to a strict code of conduct. (B)

Which module would NOT typically be included in CEH v10 training?

Software Development Life Cycle (B)

What is a significant component of the CEH exam's subject matter?

Technical knowledge and hands-on experience with tools. (B)

Which tool would likely be used during the scanning phase of ethical hacking?

nmap (A)

Which of the following best describes the 'Vulnerability Analysis' module in CEH training?

Assessing systems to identify security weaknesses. (A)

What is the focus of the 'Social Engineering' module in CEH v10 training?

Human psychology and behavior exploitation. (D)

Which module includes techniques to compromise web applications?

SQL Injection (B)

In the context of the CEH exam, what is the significance of knowing various tools?

It is necessary for applying knowledge in real-world scenarios. (B)

What is the application fee for the CEH certification if EC-Council training has not been completed?

$100 (B)

What is the minimum work experience required to apply for CEH certification?

2 (A)

How long is the application for CEH certification valid after submission?

3 (D)

Which of the following is a requirement to obtain an EC-Council voucher?

EC-Council training (C)

In how many countries does the EC-Council operate?

145 (A)

What is the primary concern that led to the establishment of the EC-Council?

Cyber terrorism (D)

What was the initial focus of the founder Jay Bavisi when creating the EC-Council?

Protection against digital threats (C)

Which factor significantly influences the change in tactics required for security testing today?

Evolving understanding of organized adversaries (C)

What percentage of attacks today are often attributed to social engineering tactics?

80-90 percent (B)

What is essential for gaining hands-on experience when preparing for the CEH certification?

Using tools in various operating systems (D)

Why is ethics a significant consideration in the field of security testing and ethical hacking?

It is essential to protect oneself and clients (C)

What is the primary challenge modern networks face according to the discussed security approaches?

They often face attacks from internal threats (C)

What aspect of attackers has changed, necessitating different security testing tactics?

Their overall level of organization and resources (D)

Which of the following best describes the current trend regarding security testing techniques?

They incorporate broader strategies including social engineering (C)

Which statement reflects a misconception about security vulnerabilities in networks?

Defense in depth approaches prevent all internal attacks (C)

Which objective focuses on the analysis and audits related to systems?

1.2 Systems analysis and audits (D)

Which of the following chapters does NOT address security testing and vulnerabilities?

Chapter 4 (C)

What is required in terms of identification when checking in for an exam?

Two valid, unexpired forms of personal ID (D)

Which chapter primarily covers the ethics involved in ethical hacking?

Chapter 1 (A)

Which objective addresses the development of policies and regulations in ethical hacking?

2.6 Regulation/policy (B)

Which of the following is NOT covered under the objective of Security testing and vulnerabilities?

Chapter 5 (D)

What is the primary purpose of an objective map in the context of ethical hacking?

To list the chapters where each objective is covered (C)

What is a requirement for arriving at the test center on the exam day?

Check in at least 30 minutes before the exam (A)

What is a common method used to maintain access to a compromised system?

Using a rootkit (B)

What can impact the success of re-compromising a system after initial access is lost?

Fixing of vulnerabilities (C)

Which of the following techniques is used for covering tracks after gaining access to a system?

Using malware to misreport system information (B)

Why might maintaining access require the installation of additional software?

To provide a means for re-accessing the system (C)

What is a reason that makes maintaining access particularly challenging?

System updates affecting exploit techniques (D)

What is a potential consequence of covering tracks inadequately?

Creation of evidence against the hacker (B)

What is one reason that a successfully compromised system might become difficult to access again?

Implementation of new user permissions (C)

Which factor can complicate the process of maintaining access on different operating systems?

Diverse security features across versions (C)

Which of the following is the primary goal of ethical hacking?

To identify and mitigate security risks (A)

Which of the following statements is NOT true regarding social engineering?

It exclusively uses online tactics to exploit targets (A)

Which of the following best describes a Denial of Service (DoS) attack?

An attack that prevents legitimate users from accessing a network service (D)

What is the significance of the Parkerian Hexad in security frameworks?

It emphasizes six essential elements of security (C)

What is one of the primary functions of firewalls in network security?

To filter incoming and outgoing network traffic based on security rules (C)

Which of the following best explains the term 'Privilege Escalation'?

Gaining elevated access rights to systems (A)

In the context of cryptography, what does 'asymmetric encryption' refer to?

Employing different keys for encryption and decryption (B)

What type of attack uses DNS spoofing?

Redirecting users to a malicious website (B)

Which of the following is NOT a component of the CIA triad?

Authenticity (D)

What type of malware is intended to provide unauthorized access for its creator?

Trojan (C)

Which method is commonly employed in physical social engineering attacks?

Pretexting through impersonation (B)

What does the concept of 'Defense in Depth' refer to?

Implementing multiple layers of security controls (A)

Which of the following is an example of a vulnerability scanning tool?

Nessus (B)

Flashcards

What is the EC-Council?

The EC-Council (International Council of Electronic Commerce Consultants) is a globally recognized organization that provides cybersecurity certifications.

What is the CEH certification?

The CEH (Certified Ethical Hacker) certification is a globally recognized credential that shows competence in ethical hacking practices and techniques.

Is the CEH certification ANSI-accredited?

The CEH certification is now ANSI-accredited, signifying that it meets rigorous industry standards.

Can I still get the new ANSI CEH if I have an older version?

Even if you have an older, non-ANSI CEH certification, you can still take the exam to obtain the new, ANSI-accredited certification.

What experience is needed for the ANSI CEH?

To be eligible for the ANSI CEH certification, you need at least two years of relevant experience in cybersecurity.

What is the application fee for the ANSI CEH?

To apply for the ANSI CEH certification, you need to pay a $100 application fee, unless you've taken an EC-Council training course.

How much does it cost to take the ANSI CEH exam?

To take the ANSI CEH certification exam, you need to purchase a Pearson VUE exam voucher for $1,199 or an EC-Council voucher for $950 if you've taken their training and have a certificate of attendance.

When and why was the EC-Council founded?

The EC-Council was founded after the 9/11 attacks, driven by the concern of cyberattacks becoming more prevalent.

Ethical hacking

A technique used to find security vulnerabilities in systems and software, with the aim of improving security.

Penetration testing

A type of ethical hacking that simulates real-world attacks to test an organization's defenses, like a red team in military exercises.

Red Teaming

A specific type of penetration testing where testers are adversarial to the organization and network, acting like real attackers.

Software security testing

The act of testing software to identify bugs or vulnerabilities that could be exploited by attackers.

Personal data

Data belonging to individuals, such as personal information, financial records, and medical records.

Understanding attacks

The act of being able to understand and replicate attacks to improve security.

Security posture

The overall security posture of a system or organization, including all its vulnerabilities and strengths.

Early and frequent testing

The importance of frequent and proactive security testing to identify and mitigate vulnerabilities.

SQL Injection - Always True Condition

A technique used in SQL injection attacks that forces the result of the SQL query to always return true. It's used to bypass security measures and gain unauthorized access to data.

Slowloris Attack

A type of network attack that exploits vulnerabilities in web servers by keeping connections open for an extended period, consuming server resources and making the server unresponsive.

Domain Name System (DNS)

A network protocol used to resolve a hostname (like www.example.com) to an IP address (like 192.168.1.10) and vice versa. It's like a phone book for the internet.

Heap Spraying

An attack that uses dynamically allocated space to store malicious attack code. It's designed to bypass security measures and execute code on the target system.

Worm

A malicious program that spreads itself from one computer to another without user interaction. It can replicate and spread rapidly, causing significant damage. It's like a disease that spreads without a host.

Buffer Overflow

A type of security attack where an attacker sends more data to an application than it can handle, causing the application to crash or expose sensitive information.

SQL Injection Attack

A type of network attack that exploits vulnerabilities in databases by injecting malicious SQL queries to manipulate data, gain unauthorized access, or cause damage.

Address Resolution Protocol (ARP)

A network protocol that allows devices on a local network to communicate with each other using MAC addresses. It maps IP addresses to MAC addresses.

What does the Data Link layer handle?

The Data Link layer is responsible for formatting data to be transmitted over a network's physical medium. It handles tasks like error detection and addressing at the local network level.

What is the role of the Physical layer?

The Physical layer is the lowest level of the OSI model, managing the physical transmission of data bits over a network cable or wireless medium. It governs how electrical signals are sent and received.

What is a MAC address?

A MAC address (Media Access Control) is a unique identifier assigned to each network interface card (NIC) in a device. It's a physical address used on a local area network (LAN) for communication between devices.

What is the OSI model?

The OSI model is a conceptual framework that divides network communication into seven distinct layers. Each layer performs a specific function, simplifying network complexity.

What is a router?

A router is a network device that forwards data packets between different networks based on their destination IP address. It connects networks and helps data flow efficiently across the internet.

What is a switch?

A switch is a networking device that connects multiple devices on a LAN. It allows communication between devices on the same network by forwarding data packets based on their MAC addresses.

What is a router/switch?

A device that combines both routing and switching functions, acting as a gateway between networks. It can route data packets between different network segments and switch data within a local network.

What is bridging?

Bridging refers to connecting two or more network segments, allowing devices on different network segments to communicate with each other. It offers a layer 2 function, similar to switching, but on a larger scale.

Information Gathering

The initial stage of ethical hacking where you gather information about your target, identifying their network blocks, individual systems, and potential entry points. This process may uncover sensitive information that can be used later in attacks.

Scanning and Enumeration

The process of scanning networks to identify active hosts and the services they run. This stage helps identify potential entry points for attackers.

Social Engineering

A type of attack that relies on tricking users into giving up sensitive information or granting unauthorized access. This is often considered the easiest way into a system.

Simple Mail Transfer Protocol (SMTP)

A network protocol used for sending and receiving emails. Attackers may exploit vulnerabilities in SMTP servers to gather information about users, like usernames.

Server Message Block (SMB)/Common Internet File System (CIFS)

A network protocol used for file sharing on Windows systems. Attackers may exploit SMB/CIFS vulnerabilities to gain access to shared folders and files, potentially finding sensitive information.

Vulnerability Analysis

A crucial stage in ethical hacking where you analyze the data gathered through scanning and information gathering to identify vulnerabilities and potential attack vectors.

Exploitation

The process of exploiting identified vulnerabilities to gain unauthorized access to a system or network. This step relies on the knowledge gathered during previous stages.

What is reconnaissance?

The initial phase of ethical hacking, focused on gathering information about the target organization, its systems, and online presence. This helps define the scope of the test and identify potential vulnerabilities.

What is footprinting?

A subset of reconnaissance that specifically focuses on identifying the target's network infrastructure, including its size, network blocks, host systems, geographic locations, and associated personnel. This helps establish a 'footprint' of the target's digital presence.

Why is a methodology essential for ethical hacking?

A set of structured steps or guidelines used to perform ethical hacking activities. It ensures consistency, repeatability, and verifiability of testing procedures, allowing for better reporting and remediation of identified vulnerabilities.

What is EC-Council?

An organization that promotes responsible and ethical cybersecurity practices. It offers the globally recognized Certified Ethical Hacker (CEH) certification, which demonstrates competency in ethical hacking techniques and adheres to a strict code of conduct.

What is CEH certification?

A globally recognized professional certification awarded by EC-Council. It affirms an individual's knowledge and skills in ethical hacking, emphasizing responsible and ethical use of hacking techniques.

What is the code of conduct for CEH certified professionals?

A set of principles and guidelines that CEH certified professionals must strictly adhere to. It emphasizes responsible hacking conduct, including minimizing harm, respecting confidentiality, and working towards enhancing the security posture of organizations.

What is ethical hacking?

The practice of simulating real-world hacking attacks on systems and networks to identify vulnerabilities and improve security defenses. This helps organizations strengthen their security posture by understanding how attackers might try to exploit weaknesses.

How does information obtained through reconnaissance and footprinting benefit organizations?

The information gleaned from reconnaissance and footprinting is critical for informing the security recommendations and improvements that can be implemented to strengthen the organization's security posture.

Methodology of Ethical Hacking

A structured process of ethical hacking that involves a series of steps including reconnaissance, scanning, enumeration, vulnerability analysis, exploitation, and reporting. This ensures a systematic approach to security testing and provides a clear framework for documenting findings and recommending solutions.

Reconnaissance

The process of gathering information about the target organization, its systems, and online presence, including publicly available data like website information, employee details, and network infrastructure.

Footprinting

A type of reconnaissance focusing on identifying the target's network infrastructure, including its size, network blocks, host systems, geographic locations, and associated personnel. It helps establish a 'footprint' of the target's digital presence.

Reporting

The practice of identifying and documenting the security vulnerabilities and weaknesses found during ethical hacking activities. It involves compiling the findings, providing detailed descriptions of discovered vulnerabilities, and recommending strategies for mitigation and remediation.

Switch

A network device that connects multiple devices on a LAN, allowing communication between devices on the same network by forwarding data packets based on their MAC addresses. It allows for efficient communication by providing a dedicated path for data transmission between connected devices.

Network Traffic Analysis

The process of gathering information about the target's network traffic, including internet activity, data transfers, communication patterns, and user behavior. This stage might involve using network sniffing tools to capture and analyze data packets, revealing communication patterns and potential vulnerabilities.

What is Penetration Testing Methodology?

The core steps in ethical hacking and penetration testing, outlined in a structured manner to ensure thoroughness and consistency.

What is Information Gathering in Ethical Hacking?

It's a crucial phase before any hacking, gathering information about the target, its systems, network blocks, and online presence to identify possible attack vectors.

What is Scanning and Enumeration in Ethical Hacking?

The act of scanning networks for active hosts and running services to identify potential weak points and entry points for attackers.

What is Vulnerability Analysis?

A stage where vulnerabilities identified during scanning and information gathering are analyzed to determine potential attack vectors and how they can be exploited.

Ethical Hacking Methodology

A structured approach to ethical hacking that ensures consistency, repeatability, and verifiability of testing procedures.

What is Exploitation in Ethical Hacking?

The critical step after vulnerability analysis, where identified weaknesses are exploited to gain unauthorized access or demonstrate the impact of an attack.

What is Footprinting in Ethical Hacking?

A core aspect of information gathering where the process of gathering information about target company, network, its personnel, and their locations is conducted.

What is the Importance of a Methodology for Ethical Hacking?

A structured approach to improve security and identify vulnerabilities by understanding how real attackers might try to exploit weaknesses.

OSI Model

A conceptual model used to describe communication protocols and their functions, divided into seven layers, each dedicated to a specific aspect.

Router

A networking device that connects different networks and forwards data packets between them based on destination IP addresses.

Tunneling Attacks

A technique used to hide one protocol inside another, often to bypass security measures or send unauthorized commands.

DNS Amplification Attack

A type of attack where a small DNS request triggers a much larger response sent to the target, amplifying the attack's impact.

DNS Recursion

The process of looking up information from one DNS server to another, typically in a hierarchical manner to find the most authoritative answer.

Zone Transfer

A process where a DNS server requests all the contents of a zone from a more authoritative server, ensuring the local server has the most up-to-date information.

Ping Sweep

A network scan that sends ICMP echo requests to a range of IP addresses to identify active hosts on the network.

NIST Cybersecurity Framework

A system for managing cybersecurity risks and establishing a framework for organizations to improve their security posture.

Diffie-Hellman Key Exchange

A cryptographic method used for key exchange, allowing two parties to securely establish a shared secret key for communication.

Python for Malware Development

A programming language known for its simplicity and readability, often used in malware development due to its easy availability and wide range of libraries.

Disclosure of Information

Informing those involved about identified issues and potential conflicts of interest.

Responsible Disclosure

A responsible approach to revealing vulnerabilities, working with vendors and CERTs before public disclosure.

Ethical Use of Resources

Agreeing to not misuse client or company resources, including avoiding damage.

Compliance with Law

The principle of avoiding any illegal actions or activities.

Information Gathering (Ethical Hacking)

Gathering information about a target, including systems, network blocks, and online presence.

Vulnerability Analysis (Ethical Hacking)

Analyzing identified vulnerabilities to determine potential attack vectors and how they can be exploited.

Exploitation (Ethical Hacking)

Exploiting vulnerabilities to gain unauthorized access or demonstrate the impact of an attack.

1822 Protocol

A historical networking protocol used on the initial ARPANET, later superseded by the TCP/IP suite.

TCP/IP Architecture

A suite of protocols used for communication on the internet. Consists of four layers: Application, Transport, Internet and Network.

Transport Layer

The layer in both the OSI Model and TCP/IP Architecture responsible for formatting data and providing reliable communication between applications.

Internet Layer

The layer in both the OSI Model and TCP/IP Architecture responsible for routing data packets across networks.

Application Layer (TCP/IP)

In the TCP/IP model, it combines functions of the OSI Model's Session, Presentation and Application layers to focus on network applications.

Physical Layer (OSI)

The layer in the OSI Model responsible for controlling the physical transmission of data bits over a network cable or wireless medium.

Physical Layer

The lowest layer of the OSI model, responsible for the physical transmission of data bits over a network cable or wireless medium.

Data Link Layer

The second layer of the OSI model, responsible for formatting data for transmission over a physical medium, handling error detection and addressing at the local network level.

Network Layer

The third layer of the OSI model, responsible for routing data packets between networks, ensuring data packets reach their intended destination.

Session Layer

The fifth layer of the OSI model, responsible for managing communication between devices, including session establishment, termination, synchronization, and data exchange.

Presentation Layer

The sixth layer of the OSI model, responsible for presenting data in a format that can be understood by other applications, handling data encryption and decryption, and data compression.

Application Layer

The seventh and highest layer of the OSI model, responsible for user interactions with network applications and providing services like email, file transfer, and web browsing.

Penetration Testing Methodology

A structured process used in ethical hacking to test an organization's security, revealing vulnerabilities and recommending improvements.

Information Gathering in Ethical Hacking

The initial stage of ethical hacking, focusing on collecting information about the target, its systems, and online presence to pinpoint vulnerabilities.

Scanning and Enumeration in Ethical Hacking

The process of scanning networks for active hosts and running services to identify potential weak points for attackers.

Vulnerability Analysis in Ethical Hacking

The step where vulnerabilities found during scanning and information gatheringare analyzed to determine potential attack vectors.

Exploitation in Ethical Hacking

The critical step after vulnerability analysis where identified weaknesses are exploited to gain unauthorized access or demonstrate the impact of an attack.

Footprinting in Ethical Hacking

A core aspect of information gathering where the process of gathering information about the target company, network, its personnel, and their locations is conducted.

Importance of a Methodology for Ethical Hacking

A structured approach to improve security and identify vulnerabilities by understanding the attackers' motives and methodologies.

What's the experience required for the ANSI CEH?

The minimum requirement to apply for the ANSI-accredited CEH certification, signifying a hands-on understanding of cybersecurity.

What's the cost of the ANSI CEH application?

The fee associated with the CEH application, unless you've completed an EC-Council training course, demonstrating commitment.

What is Vulnerability Analysis in Ethical Hacking?

The step in ethical hacking where identified vulnerabilities are analyzed to determine their potential for exploitation by attackers, understanding the risks.

Scanning and Enumeration (Ethical Hacking)

The act of scanning networks for active hosts and running services to identify potential weak points and entry points for attackers.

Footprinting (Ethical Hacking)

A core aspect of information gathering where the process of gathering information about the target company, network, its personnel, and their locations is conducted.

Maintaining Access: Why is it important?

A technique used to maintain access to a compromised system, often by installing malware like rootkits to create backdoors, obscure actions, and establish persistent access. This ensures continued monitoring and potential further exploitation.

Covering Tracks: How do you hide your activity?

The practice of hiding or deleting evidence of your presence on a compromised system. This can involve deleting logs, using malware to misreport system information, and obscuring network connections.

Maintaining Access: Software Installation

Installing software on a target system after the initial compromise to maintain access. Requires copying the software, which can be challenging depending on the system's security measures.

Covering Tracks: Obscuring your presence

Hiding the existence of a backdoor or other malicious software on a compromised system, often by masking its actions, altering system logs, and manipulating network traffic patterns.

Rootkits: What do they do?

Malware that provides persistent access to a compromised system, even after the initial attack. This can be used to monitor activity, exfiltrate data, or launch further attacks.

Establishing Persistent Access

A method for maintaining access to a compromised system, often used by attackers for persistent monitoring and control. This allows them to continue their operations, even if the initial attack vector is removed.

Covering Tracks: Log Manipulation

The act of modifying system logs to hide or distort evidence of an attack. This involves manipulating the records of system events to make it appear like an attack never happened.

Exploitation: What is it in ethical hacking?

A critical step in ethical hacking and penetration testing, involving the strategic use of identified vulnerabilities to gain unauthorized access or demonstrate the impact of an attack.

Study Notes

CEH Certification

• CEH certification is ANSI-certified, with previous versions existing before accreditation.
• Individuals with earlier CEH certifications can still take the ANSI-accredited exam.
• Minimum two years related work experience required.
• Non-refundable $100 application fee for those meeting experience requirements.
• EC-Council training completion required; fee included for trainees.
• Application validity: three months.
• EC-Council's code of conduct emphasizes ethical behavior for CEH-certified professionals.
• The CEH exam tests technical knowledge and adheres to a code of conduct.
• CEH certification holders must remain discreet and ethical in their activities.

Exam Cost

• Pearson VUE exam voucher required; cost: $1,199.
• EC-Council voucher available for $950, if EC-Council training and Certificate of Attendance are provided.

EC-Council Overview

• EC-Council (International Council of Electronic Commerce Consultants) was founded after the 9/11 attacks.
• Founder Jay Bavisi recognized the potential for digital threats beyond the physical world.
• The Internet’s low entry barriers encourage criminal activity, such as data theft and ransom.
• EC-Council is a major global certifying body, active in 145 countries, certifying over 200,000 individuals.
• Provides multiple IT certifications, including the CEH.

SQL Injection Attacks

• SQL injection exploits SQL queries to alter application logic.
• Attacks aim to force SQL queries to always return True, often by manipulating existing queries.

Mobile Malware

• Apple App Store and Google Play Store vet apps, hindering malware installation.
• External Android storage is not a reliable malware infection vector.
• Jailbreaking can potentially allow malware intrusion but isn't the primary method.
• Third-party app stores pose a greater risk due to varying vetting standards.

Network Protocols

• DHCP assigns IP configurations to endpoints.
• DNS translates hostnames to IP addresses (and vice-versa).
• RARP maps MAC addresses to IP addresses.
• ARP translates IP addresses to MAC addresses for local network communication.
• IP addresses are used for communication beyond the local network.
• ARP functions at the Data Link layer but relies on Network layer information.

Attack Techniques

• Heap spraying uses dynamically allocated memory to store attack code.
• Slowloris attacks hold open web server connection buffers.
• SQL injection injects SQL queries into a database server.
• Buffer overflows send excessive data, exceeding allocated memory space.

Subnet Masks

• /23 network mask: 255.255.254.0
• /22 network mask: 255.255.252.0
• /20 network mask: 255.255.240.0
• /21 network mask: 255.255.248.0

Worms vs. Viruses

• Worms and viruses can use polymorphic code to change themselves.
• Worms self-propagate, whereas viruses require user interaction.

Data Breaches

• Data breaches exceeding 10 million records annually emerged by 2005, with 200 million records breached in 2017.
• Implication is wide-spread individual data compromise.

Ethical Hacking Methodology

• Replicating attacker methods helps improve security.
• Ethical hacking actively tests systems for vulnerabilities, enhancing the target's security.
• Aims to increase security without causing damage.
• Penetration testing, red teaming, and similar activities overlap with ethical hacking.
• A methodology ensures repeatable and verifiable testing procedures.
• EC-Council's code of conduct stresses ethical behavior for CEH-certified professionals.
• Reconnaissance, scanning, and enumeration are stages in the methodology.
• Brute-force techniques can identify hostnames, but not comprehensively. Recursive requests are common for authoritative DNS responses. Zone transfer retrieves entire zone contents.
• Tunneling attacks can hide one protocol within another, possibly for OS command transmission (eg. hide a command within a DNS request). DNS amplification attacks exploit small requests for large responses (exploit a DNS request to generate a large response). DNS recursion enables information lookup. XML entity injection is a web-based attack unrelated to DNS.
• Ping sweeps identify responsive hosts without extensive port scans. Often ICMP is allowed through firewalls for troubleshooting. NIST cybersecurity framework includes five functions: identify, protect, detect, respond, recover.
• Python interpreters generally are considered slightly slower than compiled programs, though the difference doesn't greatly impact malware. Python's many community libraries are useful, though Python requires an interpreter.

Reconnaissance & Footprinting

• Understanding the target system's environment is essential.
• Reconnaissance identifies target details (people, location, network blocks).
• Public information helps unearth potential vulnerabilities.
• Wiping logs on a Windows system sometimes creates a log entry, potentially suggesting malicious intent.
• Covering tracks can be difficult to achieve perfectly.

Scanning & Enumeration

• After network block identification, scanning and enumerating accessible systems/services is crucial.
• Finding open ports, identifying services, and discovering running software are key elements for scanning.
• Gathering details about services and software helps understand organizational structure.

Network Layers

• OSI model conceptually depicts network functionality.
• Issues relating to functional mapping between network layers are discussed.
• Routing and bridging are explained as Layer 2 vs Layer 3 functions.
• TCP/IP architecture developed in the late 1960s, refined to become a network communication model.
• MAC addresses identify network interfaces for local communication.
• Physical layer protocols handle wire pulse management.
• Different protocols can exist between OSI layers and within layers. 
• Routing, switching, and bridging can reside in one networked device (e.g., router).
• Proprietary protocols in early communication systems made interoperability difficult.
• ISO standards, developed in the late 1970s, improved interoperability.
• The seven-layer OSI model is visualized from the physical layer up to the application layer.
• Messages are created from the application layer down.
• Mnemonics like "Please Do Not Touch Steve's Pet Alligator" help layer memorization (usually memorized bottom to top).
• Early protocols like 1822 and NCP were later supplanted by TCP/IP.
• TCP/IP is conceptually simpler than OSI, with four layers, reflecting the usual implementation. Similar layers exist between the models (Application, Transport, Internet/Network, Link).

Certificates

• Certificates can be revoked; Diffie-Hellman is about key exchange, not revocation. Key management is broader than Diffie-Hellman’s role in establishing keys for encrypted communication.

Additional Topics

• Systems development and management

• Systems analysis and audits

• Security testing and vulnerabilities

• Reporting

• Mitigation

• Ethics

• Background

• Analysis/assessment

• Security

• Tools, systems, and programs

• Procedures/methodology

• Regulation/policy

• Ethics

• Network technologies

• Communications protocols

• Telecommunications technologies

• Network topologies

• Subnetting

• Communications Models (OSI & TCP/IP)

• Topologies (bus, star, ring, mesh, hybrid)

• Physical networking (addressing, switching)

• IP, TCP, UDP, Internet Control Message Protocol, and related internetworking components

• Network architectures, network types, isolation, remote access

• Cloud computing (storage, infrastructure, platform, software, IoT)

• Maintaining Access: Maintaining access after compromising a system requires ongoing means of access, potentially involving rootkits or other software to conceal actions, and re-entry methods for cases of compromised systems going offline or system changes. Compromises are not guaranteed for re-entry. Exploits based on vulnerability can be invalidated by updates or patches.

• Covering Tracks: Hiding actions or evidence is crucial, which may include altering logs or misrepresenting system data, such as network connections (malware can help with this)